complaint site 2 days old and was hacked?

MY WHOLE account with 1and1 was locked, my car site of 2000 members was closed as well due to a leak in this software

1 Our analysis of the attack
1.2 The hackers processed it through a security leak in your script/s:
FaceFlirt/index.php
site/ex/com_expose_rc4/uploadimg.php
site/ex/com_expose_rc4/uploadimage.php
1.2 A large amount of spam has been sent by the following script/s:
./FaceFlirt/ip.php
1.3 The following malicious file/s have been uploaded to your webspace:
FaceFlirt/cache/system.php
FaceFlirt/404.php
FaceFlirt/system.php
FaceFlirt/errors.php
FaceFlirt/www.chase.com
FaceFlirt/safe.ssl.confirm.onlinebankingofamerica.zip
FaceFlirt/safe.ssl.confirm.onlinebankingofamerica.com

Having disabled these files, we will unlock your account after this e-mail.
Please understand that the temporary lock was necessary to protect our
infrastructure.

help?????

what's going on?
Quote · 2 Oct 2008

Did you follow all recommendations for the Dolphin install? (if your script is Dolphin)

Quote · 3 Oct 2008

Well, I downloaded the new install files; all chmod was how I was told to do at installs.

they have locked my WHOLE ftp server

site was face-flirt.com

only on here and my MSN know I'm building it up

it tells you sammy of the file in 1.3 of their email

they made a file called

confirm.onlinebankingofamerica.com

and loads php etc. in there. I have removed all files now, so I have no site, and am waiting on them to reopen my server

Quote · 3 Oct 2008

Well, if this may help... we have had this same experience twice in the space of 4 days. This is the most recent online live help chat with our hosts on this matter:

RoseHosting2: Hello. How may I help you?
archie: our server seems to be down again
archie: www.chitchatafrica.com
RoseHosting2: Yes, we had to stop your server. We found some illegal activities going on on your server again.
archie: illegal activity?
RoseHosting2: There are some phishing sites located inside the following directories:
RoseHosting2: /home/admin/public_html/orca/log/Abbey.Co.Uk/Abbey.Co.Uk/
RoseHosting2: /home/admin/public_html/groups/orca/js/BankofAmerica.Com/
archie: damn!!!!
archie: how could that be?
RoseHosting2: I am not sure, but I think that is something connected with the orca application. It seems that this application is very insecure.
archie: thanks for the info
archie: any other directory please?
RoseHosting2: All the forgery applications were uploaded via the following PHP script: /home/admin/public_html/groups/orca/index2.php .
archie: good to know
RoseHosting2: Also, this script was used for FTP brute force attacks to other networks.
archie: gosh!!!!
archie: that's terrible
RoseHosting2: It seems that you will have to build website from scratch once again.
archie: could you kindly do us a favor and delete those files for us?
RoseHosting2: No, it seems that your root user password has been hacked again. So, we will have to reinstall your virtual server once again.
archie: gosh
archie: how did they find our new passwords?
archie: we have a very very strong password in place
archie: it is ridiculously strong
RoseHosting2: I am sorry, but I do not know that. Maybe you are using dictionary based passwords.
archie: even using symbols
RoseHosting2: As I said before, it seems that the orca application is very insecure and the hackers were using this application to install their forgery applications.
archie: ok
archie: don't know the best way round it...
RoseHosting2: All the current files of your website are somehow compromised, so if we reinstall your server once again you will have to upload all your websites' data to your server again.
archie: mmmm...i guess if there is no other way round it
RoseHosting2: I am sorry, but this is the only way now.

Hope this will be of some help in resolving this very compromising and urgent matter.


Also of note is that we are not using Orca as yet... we just had it along with the Dolphin package.


The sooner Boonex takes a look at this, the less likely the word will go around the webmasters and developers community online to the effect that people might be put off recommending the Dolphin package.


Not sure about Faceflirt, but myself I am putting on hold all the praises I have been singing about my Dolphin pack :(

Quote · 3 Oct 2008

It looks as if my site might have been hacked.  Some mysterious folder just showed up called CajaMadrid.  I never put it there and it doesn't look normal.  Anyone know what this folder is?

Quote · 13 Oct 2008
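
A triage sketch for the pattern the hosts reported in this thread (folders named like bank hostnames, and PHP files dropped into cache, log and js directories), added here as an example and not code from Boonex, the hosting companies or any poster. The TLD list, the data-directory names, the function names and the sample tree are assumptions constructed from the paths quoted above.

```python
import os
import re
import tempfile

# Names shaped like a hostname, optionally zipped ("www.chase.com",
# "BankofAmerica.Com"). The TLD list is an assumption; extend it as needed.
HOSTNAME_LIKE = re.compile(
    r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.(com|net|org|co\.uk)(\.zip)?$", re.I)
# Directories assumed to hold data only, never PHP (taken from the reports).
DATA_DIRS = {"cache", "log", "js"}


def scan_webroot(webroot):
    """Return sorted (relative_path, reason) pairs that need a manual look."""
    findings = []
    for current, dirs, files in os.walk(webroot):
        rel_dir = os.path.relpath(current, webroot)
        parts = set() if rel_dir == "." else set(rel_dir.lower().split(os.sep))
        for name in dirs + files:
            rel = os.path.normpath(os.path.join(rel_dir, name)).replace(os.sep, "/")
            if HOSTNAME_LIKE.match(name):
                findings.append((rel, "hostname-like name"))
            elif name in files and name.lower().endswith(".php") and parts & DATA_DIRS:
                findings.append((rel, "PHP in data directory"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed sample tree echoing the kinds of paths quoted in the thread."""
    for rel in ("FaceFlirt/index.php", "FaceFlirt/cache/system.php",
                "FaceFlirt/www.chase.com/login.html",
                "orca/js/BankofAmerica.Com/index.php", "orca/js/forum.js"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_demo_tree(root)
        for rel, reason in scan_webroot(root):
            print(f"{reason:24} {rel}")
```

A clean result only means these two name-based rules found nothing; it does not show that the webroot is uncompromised.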